On Tue, Oct 02, 2012 at 11:00:53AM +0100, Stuart Henderson wrote:
> On 2012/10/01 22:56, Lawrence Teo wrote:
> > This diff adds an rc.d script for Snort.
> > 
> > It also modifies the pkg/README file to mention the rc.d script, and
> > adds a note that rules need to be present in /etc/snort/rules for Snort
> > to work as an IDS (since `/etc/rc.d/snort start` will fail if rules
> > don't exist in that directory).
> 
> >  An up-to-date set of rules is needed for Snort to be useful as an IDS.
> >  These can be downloaded manually or net/oinkmaster can be used to
> > -download the latest rules from several different sources.
> > +download the latest rules from several different sources.  By default,
> > +these rules are expected to be present in the ${SYSCONFDIR}/snort/rules
> > +directory as defined by RULE_PATH in ${SYSCONFDIR}/snort/snort.conf.
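Review bot: the added README text says rules "are expected to be present" in ${SYSCONFDIR}/snort/rules but does not mention the consequence stated in the cover letter, namely that `/etc/rc.d/snort start` fails when that directory holds no rules. Suggest appending a sentence after the RULE_PATH line along the lines of "The rc.d script will fail to start Snort if no rules exist in this directory." so an administrator reading only the README knows why the service did not come up.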
> 
> It would be nice to give a specific example of commands that could be
> run to download some rules to get started and see it working, preferably
> without having to register - I found various talk about "community rules"
> but didn't find anywhere they could actually be downloaded - do you know
> of anything that might be suitable?

You may use the rules from the emerging threats project at
http://rules.emergingthreats.net

With oinkmaster (which is in ports) you could use for example

url = http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz

in oinkmaster.conf and then add the rules files to snort.conf.

Regards,
Markus
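
An added example, not part of the thread or of the Snort/oinkmaster ports, that strings together the steps discussed above: write an oinkmaster.conf with the Emerging Threats url line, fetch the rules into the RULE_PATH directory, confirm the directory actually contains rules before `/etc/rc.d/snort start` is attempted (the failure mode Lawrence's cover letter mentions), and emit the `include $RULE_PATH/...` lines to paste into snort.conf. The paths, the script name `snort-rules.sh` and the environment variable names are assumptions; the `-C` and `-o` options are oinkmaster's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Fetches the Emerging
# Threats open ruleset with oinkmaster and verifies the rules directory is
# populated before snort is started. RULES_DIR, OINK_CONF and the script
# name used in the guard at the bottom are assumptions for illustration.

RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
OINK_CONF="${OINK_CONF:-/etc/oinkmaster.conf}"
ET_URL="http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz"

# Write a minimal oinkmaster.conf whose only directive is the url line
# Markus suggests in the thread.
write_oinkmaster_conf() {
    conf="$1"
    printf 'url = %s\n' "$ET_URL" > "$conf"
}

# Run oinkmaster (net/oinkmaster) to download and unpack the ruleset into
# the directory that RULE_PATH in snort.conf points to. Needs network access.
fetch_rules() {
    mkdir -p "$RULES_DIR"
    oinkmaster -C "$OINK_CONF" -o "$RULES_DIR"
}

# Return 0 if the directory holds at least one *.rules file, 1 otherwise.
# This is the condition under which /etc/rc.d/snort start can succeed.
rules_present() {
    dir="$1"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Print one "include $RULE_PATH/<file>" line per rules file, sorted, ready
# to be appended to snort.conf ("add the rules files to snort.conf").
snort_includes() {
    dir="$1"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        printf 'include $RULE_PATH/%s\n' "$(basename "$f")"
    done | sort
}

main() {
    write_oinkmaster_conf "$OINK_CONF"
    fetch_rules
    if rules_present "$RULES_DIR"; then
        snort_includes "$RULES_DIR"
    else
        echo "no rules in $RULES_DIR; /etc/rc.d/snort start would fail" >&2
        exit 1
    fi
}

# Run the full procedure only when invoked directly as snort-rules.sh
# (assumed name), so the functions can also be sourced for testing.
[ "${0##*/}" = "snort-rules.sh" ] && main
```

Run it as root once after installing the package; the printed include lines go at the end of snort.conf, after which `/etc/rc.d/snort start` has rules to load. Re-running it later refreshes the ruleset in place.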
